CN112839029B - Botnet activity degree analysis method and system - Google Patents


Info

Publication number: CN112839029B
Application number: CN202011531361.0A
Authority: CN (China)
Prior art keywords: botnet, domain name, enterprises, logs, analyzing
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN112839029A
Inventors: 马刚, 王辉, 潘文苹, 吴炳辉, 张琳, 赵国领
Current assignee: Henan Information Consulting Design And Research Co ltd
Original assignee: Henan Information Consulting Design And Research Co ltd

Events
Application filed by Henan Information Consulting Design And Research Co ltd
Priority to CN202011531361.0A
Publication of CN112839029A
Application granted
Publication of CN112839029B
Legal status: Active

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic where the attack involves the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L63/1458 Denial of Service
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/144 Detection or countermeasures against botnets


Abstract

The present disclosure provides a botnet liveness analysis method and system. The method comprises: extracting botnet alarm logs from the security alarm logs according to preset query conditions; classifying and analyzing the security alarm logs for each botnet family to obtain the corresponding botnet domain names, and extracting the attack alarm log set corresponding to each botnet family according to its botnet domain names; analyzing the DNS logs associated with the botnet domain names to obtain the DNS log information for access to the botnet command-and-control (C&C) server domain names, and tracing out the other domain names accessed together with them; and summarizing the botnet alarm logs and the DNS logs associated with the botnet domain names, performing source-tracing analysis on the summarized logs, and analyzing the number of industrial enterprises controlled by the botnets, the number of IP addresses corresponding to those industrial enterprises, the number of attacks, and the like.

Description

Botnet activity degree analysis method and system
Technical Field
The present disclosure relates to the field of network security technologies in the industrial internet, and in particular to a method and a system for analyzing botnet liveness, an electronic device, and a computer-readable storage medium.
Background
A botnet is a network formed when an attacker (the controller) spreads bot programs to take control of a large number of hosts and links them through a one-to-many command and control channel, so that control instructions can be sent to the controlled computers and the implanted trojan instructed to carry out preset malicious actions.
In the prior art, botnets are a major security threat, and network security probes are at present mainly deployed on metropolitan area network traffic. Such deployment is complex and costly and cannot achieve wide coverage of industrial enterprise traffic, so the activity, range of influence and similar characteristics of each botnet family within industrial enterprises cannot be determined.
An effective technical means is therefore urgently needed to quickly monitor the activity of the botnet families currently prevalent in industrial enterprises, including the number and ranking of industrial enterprises affected by each botnet family, the number and ranking of affected industrial-enterprise IP addresses, the number and ranking of attacks, and the like, and to provide data support for the follow-up work of a supervisory unit. This solves the prior-art problem that the botnet control status of industrial enterprises cannot be analyzed, reduces the traffic-monitoring cost of covering a large number of industrial enterprises, and gives a more comprehensive and timely picture of the latest botnet activity in industrial enterprises.
Disclosure of Invention
In view of this, an object of the embodiments of the present disclosure is to provide a method and a system for analyzing the liveness of botnet families, used to promptly grasp the liveness of each botnet family in industrial enterprises, including the number of industrial enterprises currently controlled by the family, the number of bot hosts in those enterprises, and the level of communication activity between the botnet server and the controlled bot hosts, so that the botnet families causing the greatest harm can be identified promptly and data support provided for further handling and reporting.
According to a first aspect of the present disclosure, there is provided a botnet liveness analysis method, applied to an industrial internet, comprising:
extracting botnet alarm logs from the security alarm logs according to a preset query condition, extracting the botnet families from the botnet alarm logs, and deduplicating them;
classifying and analyzing the security alarm logs for each botnet family to obtain the corresponding botnet domain names, and extracting the attack alarm log set corresponding to each botnet family according to its botnet domain names;
analyzing the DNS logs associated with the botnet domain names to obtain the DNS log information for access to the botnet command-and-control (C&C) server domain names, tracing out the other domain names accessed together with them, extracting the portion of those other domain names judged to be C&C domain names, obtaining the botnet family to which that portion belongs, and adding it to a botnet domain name feature library;
summarizing the botnet alarm logs and the DNS logs associated with the botnet domain names, performing source-tracing analysis on the summarized logs, locating the enterprises corresponding to the bot hosts, analyzing the national economic classification of each enterprise to obtain its industry attribute, screening out the industrial enterprises affected by the botnet domain names according to that industry attribute, analyzing the number of industrial enterprises controlled by each botnet, the number of IP addresses corresponding to those industrial enterprises and the number of attacks, and thereby analyzing the activity of each botnet family.
In one possible embodiment, the botnet alarm log comprises at least: attack time, threat category, severity level, attack-end IP, destination-end IP, source port, destination port, source IP service, destination IP service, transport layer protocol, application layer protocol, attack payload, domain name, and the family to which the domain name belongs.
In one possible embodiment, the DNS log information includes at least: domain name, destination IP, source IP, and access volume.
In one possible embodiment, the method for judging whether the other domain names are C&C domain names includes a domain name similarity algorithm.
According to a second aspect of the present disclosure, there is provided a botnet liveness analysis system, applied to an industrial internet, including:
a botnet family extraction unit, used to extract botnet alarm logs from the security alarm logs according to a preset query condition, extract the botnet families from the botnet alarm logs and deduplicate them;
an alarm log analysis unit, used to classify and analyze the security alarm logs for each botnet family to obtain the corresponding botnet domain names, and extract the attack alarm log set corresponding to each botnet family according to its botnet domain names;
a DNS association analysis unit, used to analyze the DNS logs associated with the botnet domain names, obtain the DNS log information for access to the botnet command-and-control (C&C) server domain names, trace out the other domain names accessed together with them, extract the botnet family to which the portion of those other domain names judged to be C&C domain names belongs, and add that portion to a botnet domain name feature library;
a traceability analysis unit, used to gather the botnet alarm logs and the DNS logs associated with the botnet domain names, perform traceability analysis on the gathered logs, locate the enterprises corresponding to the bot hosts, analyze the national economic classification of each enterprise to obtain its industry attribute, screen out the industrial enterprises affected by the botnet domain names according to that industry attribute, analyze the number of industrial enterprises controlled by each botnet, the number of IP addresses corresponding to those industrial enterprises and the number of attacks, and thereby analyze the activity of each botnet family.
In one possible embodiment, the botnet alarm log comprises: attack time, threat category, severity level, attack-end IP, destination-end IP, source port, destination port, source IP service, destination IP service, transport layer protocol, application layer protocol, attack payload, domain name, and the family to which the domain name belongs.
In one possible embodiment, the DNS log information includes: domain name, destination IP, source IP, and access volume.
In one possible embodiment, the method for judging whether the other domain names are C&C domain names includes a domain name similarity algorithm.
According to a third aspect of the present disclosure, there is provided an electronic device comprising: a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the method according to the first aspect when executing the program.
According to a fourth aspect of the present disclosure, there is provided a computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform the method of the first aspect.
Drawings
In order to illustrate the embodiments of the present application or the technical solutions of the prior art more clearly, the drawings required by the embodiments are briefly described below. The drawings in the following description are only some embodiments of the present application, and those skilled in the art can derive other drawings from them without creative effort. The foregoing and other objects, features and advantages of the application will be apparent from the accompanying drawings. Like reference numerals refer to like parts throughout the drawings. The drawings are not necessarily to scale; emphasis is instead placed on illustrating the subject matter of the present application.
Figure 1 illustrates a schematic diagram of a typical botnet, according to an embodiment of the present disclosure.
Figure 2 illustrates a schematic diagram of a typical botnet liveness analysis method, according to an embodiment of the present disclosure.
Figure 3 shows a schematic diagram of the detailed steps of a typical botnet liveness analysis method according to an embodiment of the present disclosure.
Figure 4 illustrates a schematic diagram of an exemplary botnet liveness analysis system, in accordance with an embodiment of the present disclosure.
Fig. 5 shows a schematic structural diagram of an electronic device for implementing an embodiment of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to limit the disclosure. The terms "a", "an" and "the", as used herein, are intended to include the plural forms as well, unless the context clearly indicates otherwise. Furthermore, the terms "comprises", "comprising" and the like, as used herein, specify the presence of stated features, steps, operations and/or components, but do not preclude the presence or addition of one or more other features, steps, operations or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
The industrial internet is a key network infrastructure that meets the development needs of industrial intelligence. It is characterized by low latency, high reliability and wide coverage, and is a new form and application mode created by the deep integration of a new generation of information and communication technology with advanced manufacturing. The industrial internet profoundly changes the innovation, production, management and service modes of traditional industry, fosters new technologies, new modes, new forms and new industries, and has become a new foundation for the growth of the digital economy, a new path for innovation in international network governance, and a new engine for the overall building of a strong manufacturing nation and a strong cyber nation.
The industrial internet comprises three systems: network, platform and security, in which the network system is the foundation, the platform system is the core and the security system is the safeguard. As the industrial internet moves from a closed environment to an open one, it faces enormous security threats. On one hand, industrial internet security breaks through the relatively clear boundaries of responsibility of the past; the range, complexity and degree of risk are much greater, and the security of industrial internet platforms, data and networked intelligent equipment becomes more prominent. On the other hand, industrial internet security work needs to be planned from a more global perspective covering institutional construction, national capability and industrial support, and many enterprises are not yet aware of the need for security deployment. Industrial internet security has therefore become a key factor in the development of the industrial internet.
In recent years the industrial internet has developed rapidly in various regions, and its security risks have become prominent. In particular, industrial enterprises have weak capabilities for monitoring and preventing security events; botnets and other events that affect enterprise network security remain hidden for long periods; the overall security situation of the industry is severe; and the need for security supervision is increasingly urgent.
Botnets are a major security threat. At present, network security probes are mainly deployed on metropolitan area network traffic; such deployment is complex and costly and cannot achieve wide coverage of industrial enterprise traffic, so the activity, range of influence and similar characteristics of each botnet family within industrial enterprises cannot be determined. An effective technical means therefore needs to be established to quickly monitor the activity of the botnet families currently prevalent in industrial enterprises, including the number and ranking of industrial enterprises affected by each botnet family, the number and ranking of affected industrial-enterprise IP addresses, the number and ranking of attacks, and the like, and to provide data support for the follow-up work of a supervisory unit.
In view of this, an object of the embodiments of the present disclosure is to provide a method and a system for analyzing botnet liveness, used to quickly monitor the activity of the botnet families currently prevalent in industrial enterprises, including the number and ranking of industrial enterprises affected by each botnet family, the number and ranking of affected industrial-enterprise IP addresses, the number and ranking of attacks, and the like, and to provide data support for the subsequent work of the supervisory unit. This solves the prior-art problem that the botnet control status of industrial enterprises cannot be analyzed, reduces the traffic-monitoring cost of covering a large number of industrial enterprises, and gives a more comprehensive and timely picture of the latest botnet activity in industrial enterprises.
The present disclosure is described in detail below with reference to the attached drawings.
Figure 1 illustrates a schematic diagram of a typical botnet, according to an embodiment of the present disclosure.
A botnet is a network formed when an attacker (the controller) spreads bot programs to take control of a large number of hosts and links them through a one-to-many command and control channel, so that control instructions can be sent to the controlled computers and the implanted trojan instructed to carry out preset malicious actions.
Figure 2 illustrates a schematic diagram of a typical botnet liveness analysis method, according to an embodiment of the present disclosure.
Figure 3 shows a schematic diagram of the detailed steps of a typical botnet liveness analysis method according to an embodiment of the present disclosure.
Step 201: extracting botnet alarm logs from the security alarm logs according to preset query conditions, extracting the botnet families from the botnet alarm logs, and deduplicating them.
Step 201 further includes three sub-steps, 2011, 2012 and 2013.
Step 2011: acquiring the attack alarm logs from the security alarm logs according to a preset query condition. In this disclosure the attack alarm logs can be acquired from an industrial internet security monitoring and situation awareness platform.
Step 2012: extracting the botnet alarm logs from the attack alarm logs according to the characteristics of the botnet families and preset conditions.
Step 2013: obtaining information from the extracted botnet alarm logs, including attack time, threat category, severity level, attack-end IP, destination-end IP, source port, destination port, source IP service, destination IP service, transport layer protocol, application layer protocol, attack payload, domain name, family and the like, then extracting the botnet families from the botnet alarm logs and deduplicating them.
Step 202: classifying and analyzing the security alarm logs for each botnet family to obtain the corresponding botnet domain names, and extracting the attack alarm log set corresponding to each botnet family according to its botnet domain names.
Step 202 further includes a sub-step 2021.
Step 2021: for each botnet family, extracting the IP address, protocol, domain name, service and the like of the affected bot hosts from the alarm logs.
Step 203: analyzing the DNS logs associated with the botnet domain names, obtaining the DNS log information for access to the botnet command-and-control (C&C) server domain names, tracing out the other domain names accessed together with them, extracting the portion of those other domain names judged to be C&C domain names together with the family to which that portion belongs, and adding it to the botnet domain name feature library.
Step 203 further includes five sub-steps, 2031 to 2035.
Step 2031: associating the DNS logs with the botnet domain names to obtain the DNS log information for access to the botnet C&C server domain names, where the DNS log information comprises at least the domain name, source IP, destination IP, access volume and the like.
Step 2032: tracing out the other domain names accessed together with them through the source IP address. The tracing method is not limited by this disclosure. For example, in a given QQ environment, some basic information about an attacker can be queried from the domain name information: the correspondence between the attacker's QQ number, nickname and domain name is found through the administrator mailbox and the QQ number is confirmed; an Alipay account registered with that mailbox is found, giving the real name Zhang San; and the attacker is also found sharing an SS-R service on a forum, fearing DDoS attacks, so the attacker's real identity is confirmed. In this way other domain name information is found through tracing, achieving the tracing effect.
Step 2033: judging whether the other domain names are C&C domain names; a domain name similarity calculation or another algorithm may be used, and this disclosure is not limited in this respect. For example, for each IP's accesses, a domain name feature vector is computed with a word embedding algorithm such as word2vec or doc2vec. Domain name similarity is then calculated from the feature vectors, optionally using the cosine distance between vectors as the similarity, and domain names whose similarity satisfies the condition are judged to be C&C domain names.
Step 2034: extracting the DNS logs related to the botnet for the domain names judged to be C&C domain names.
Step 2035: through analysis of those DNS logs, further determining the botnet family to which each domain name belongs and adding it to the botnet domain name feature library.
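The DNS association and similarity-based expansion of steps 2031 to 2035, as an added example that is not the patent's own code. The DNS log rows and the one-entry feature library are constructed; the word-embedding step (word2vec/doc2vec in the text) is replaced by a character-trigram vector, and the similarity threshold 0.5 is an assumption, so the block runs offline without any embedding library.

```python
"""Added example (not from the patent): steps 2031-2035 of the method.

Assumptions: DNS log rows are (domain, source_ip, destination_ip, access_count);
a character-trigram bag-of-features vector stands in for word2vec/doc2vec;
cosine similarity >= 0.5 against a known family domain marks a C&C candidate."""
from collections import Counter
import math

# Constructed DNS log sample (domain, source IP, destination IP, access count).
DNS_LOG = [
    ("upd-node01.example", "10.1.1.5", "203.0.113.10", 40),
    ("upd-node02.example", "10.1.1.5", "203.0.113.11", 35),
    ("cdn.static-assets.example", "10.1.1.5", "198.51.100.7", 3),
    ("upd-node01.example", "10.2.7.9", "203.0.113.10", 22),
    ("upd-node03.example", "10.2.7.9", "203.0.113.12", 18),
    ("mail.corp-internal.example", "10.2.7.9", "192.0.2.20", 9),
    ("news.portal.example", "10.9.9.9", "198.51.100.8", 50),
]

# Constructed botnet domain name feature library: domain -> family.
FEATURE_LIBRARY = {"upd-node01.example": "FamilyA"}


def trigram_vector(domain):
    """Character-trigram counts over '^domain$' (stand-in for a learned embedding)."""
    s = f"^{domain}$"
    return Counter(s[i:i + 3] for i in range(len(s) - 2))


def cosine_similarity(a, b):
    """Cosine of the angle between two sparse count vectors (0.0 when either is empty)."""
    dot = sum(a[k] * b[k] for k in a if k in b)
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def associate_dns(dns_log, library):
    """Step 2031: source IPs that resolved a known botnet domain (the bot hosts)."""
    return {src for domain, src, _dst, _n in dns_log if domain in library}


def co_accessed_domains(dns_log, source_ips, library):
    """Step 2032: other domains those same source IPs resolved."""
    return {domain for domain, src, _dst, _n in dns_log
            if src in source_ips and domain not in library}


def judge_cc(candidates, library, threshold=0.5):
    """Step 2033: similarity against every library domain; returns candidate -> family."""
    result = {}
    for cand in candidates:
        vec = trigram_vector(cand)
        best_family, best_score = None, 0.0
        for known, family in library.items():
            score = cosine_similarity(vec, trigram_vector(known))
            if score > best_score:
                best_family, best_score = family, score
        if best_score >= threshold:
            result[cand] = best_family
    return result


def expand_library(dns_log, library, threshold=0.5):
    """Steps 2031-2035 end to end; returns a new library with the judged C&C domains added."""
    expanded = dict(library)
    bot_hosts = associate_dns(dns_log, expanded)
    candidates = co_accessed_domains(dns_log, bot_hosts, expanded)
    expanded.update(judge_cc(candidates, expanded, threshold))
    return expanded


if __name__ == "__main__":
    for domain, family in sorted(expand_library(DNS_LOG, FEATURE_LIBRARY).items()):
        print(f"{domain:30s} {family}")
```

With the constructed rows, the two hosts that resolved the known domain also resolved `upd-node02.example` and `upd-node03.example`, which score about 0.83 against the library entry and are added to FamilyA, while the CDN and mail domains score about 0.3 and are dropped. Lexical similarity is only a candidate filter: CDN, shared-hosting and enterprise domains can look alike, so a practitioner should keep the step 2034/2035 check (analysis of the candidates' own DNS logs) before anything is written into the feature library, because every entry in that library becomes an alarm trigger on enterprise hosts.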
Step 204: summarizing the botnet alarm logs and the DNS logs associated with the botnet domain names, performing source-tracing analysis on the summarized logs, locating the enterprises corresponding to the bot hosts, analyzing the national economic classification of each enterprise to obtain its industry attribute, screening out the industrial enterprises affected by the botnet domain names according to that industry attribute, analyzing the number of industrial enterprises controlled by each botnet, the number of IP addresses corresponding to those industrial enterprises and the number of attacks, and thereby analyzing the activity of each botnet family.
Step 204 further includes eight sub-steps, 2041 to 2048.
Step 2041: summarizing the botnet alarm logs and the DNS logs associated with the botnet domain names to generate a summarized log set.
Step 2042: locating the name of the enterprise to which the controlled terminal's IP address belongs, i.e. the enterprise corresponding to the bot host. The locating method may use IP registration (filing) data or other methods, which this disclosure does not limit.
Step 2043: analyzing the business attributes of the enterprise; the enterprise's business registration information, including attributes such as enterprise name, industry and registered capital, can be collected by crawling or similar means.
Step 2044: judging, according to the enterprise's industry attribute and the national economic industry classification (GB/T 4754-2017), whether the enterprise affected by the botnet domain name is an industrial enterprise (industrial enterprises are those in the three national-economy categories of mining; manufacturing; and production and supply of electricity, heat, gas and water, comprising 41 industry divisions).
Step 2045: acquiring the bot alarm logs and DNS access logs related to the industrial enterprise, which may be done by associating the enterprise information with the log information.
Step 2046: analyzing the number of industrial enterprises controlled by the botnet, the number of IP addresses corresponding to those industrial enterprises, the number of attacks and the like. The alarm logs and DNS logs are grouped by botnet family, and the number of industrial enterprises, number of IP addresses and number of attacks corresponding to each family are analyzed.
Step 2047: identifying the botnet families that affect the largest number of industrial enterprises, control the largest number of industrial-enterprise bot hosts and have the largest total counts, or, as required, selecting the botnet families whose activity indicators fall within a threshold range.
Step 2048: issuing alarms and handling measures, or other recommendations.
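The family extraction of steps 201 and 202 and the summarizing, enterprise screening and ranking of steps 2041 to 2047, as an added example that is not the patent's own code. The alarm log rows, DNS log rows, IP-to-enterprise registry and enterprise industry codes are all constructed; the industrial-enterprise test uses the GB/T 4754-2017 division codes 06 to 46 (mining, manufacturing, and electricity, heat, gas and water supply), and the ranking order (enterprises, then hosts, then attacks) is an assumption about how the three indicators of step 2047 are combined.

```python
"""Added example (not from the patent): steps 201-202 and 2041-2047.

Assumptions: alarm rows are (attack_time, family, attack_end_ip, destination_ip, domain),
where the attack-end IP is the controlled host; DNS rows are
(domain, source_ip, destination_ip, access_count); the IP registry and industry codes
are constructed stand-ins for IP filing data and business registration information."""
from collections import defaultdict

ALARM_LOG = [  # constructed botnet alarm log sample
    ("2024-01-01T10:00:00", "FamilyA", "10.1.1.5", "203.0.113.10", "upd-node01.example"),
    ("2024-01-01T10:05:00", "FamilyA", "10.1.1.5", "203.0.113.10", "upd-node01.example"),
    ("2024-01-01T11:00:00", "FamilyA", "10.2.7.9", "203.0.113.11", "upd-node02.example"),
    ("2024-01-01T12:00:00", "FamilyB", "10.5.5.5", "198.51.100.9", "relay-x.example"),
    ("2024-01-01T12:30:00", "FamilyB", "10.6.6.6", "198.51.100.9", "relay-x.example"),
    ("2024-01-01T13:00:00", "FamilyB", "10.6.6.6", "198.51.100.9", "relay-x.example"),
]
DNS_LOG = [  # constructed DNS log sample; 10.3.3.3 appears only here, not in alarms
    ("upd-node02.example", "10.3.3.3", "203.0.113.11", 12),
    ("relay-x.example", "10.5.5.5", "198.51.100.9", 4),
    ("news.portal.example", "10.1.1.5", "198.51.100.8", 30),
]
IP_REGISTRY = {  # constructed IP filing data: controlled host IP -> enterprise (step 2042)
    "10.1.1.5": "Alpha Machinery", "10.2.7.9": "Alpha Machinery",
    "10.3.3.3": "Beta Mining", "10.5.5.5": "Gamma Logistics", "10.6.6.6": "Delta Power",
}
ENTERPRISE_INDUSTRY = {  # constructed registration data: GB/T 4754-2017 division code
    "Alpha Machinery": "35",  # general-purpose equipment manufacturing (category C)
    "Beta Mining": "06",      # coal mining and washing (category B)
    "Gamma Logistics": "54",  # road transport (category G): not industrial
    "Delta Power": "44",      # electricity and heat production and supply (category D)
}


def is_industrial(division_code):
    """Step 2044: mining 06-12, manufacturing 13-43, utilities 44-46 (41 divisions)."""
    return 6 <= int(division_code) <= 46


def families(alarm_log):
    """Step 201: botnet families in the alarm log, deduplicated."""
    return sorted({row[1] for row in alarm_log})


def family_domains(alarm_log):
    """Step 202: family -> set of botnet domain names seen in its alarms."""
    out = defaultdict(set)
    for _t, family, _src, _dst, domain in alarm_log:
        out[family].add(domain)
    return out


def locate_industrial_enterprise(ip, registry, industry):
    """Steps 2042-2044: enterprise for an IP, or None if unknown or not industrial."""
    enterprise = registry.get(ip)
    if enterprise is None or not is_industrial(industry.get(enterprise, "0")):
        return None
    return enterprise


def summarize(alarm_log, dns_log, registry, industry):
    """Steps 2041, 2045, 2046: per-family industrial enterprises, bot IPs and attack count."""
    domains = family_domains(alarm_log)
    domain_family = {d: f for f, ds in domains.items() for d in ds}
    stats = {f: {"enterprises": set(), "ips": set(), "attacks": 0} for f in domains}
    for _t, family, src_ip, _dst, _domain in alarm_log:
        enterprise = locate_industrial_enterprise(src_ip, registry, industry)
        if enterprise is None:
            continue
        stats[family]["attacks"] += 1
        stats[family]["ips"].add(src_ip)
        stats[family]["enterprises"].add(enterprise)
    # DNS rows extend the host and enterprise sets (hosts the probes never alarmed on)
    for domain, src_ip, _dst, _count in dns_log:
        family = domain_family.get(domain)
        enterprise = locate_industrial_enterprise(src_ip, registry, industry) if family else None
        if enterprise is None:
            continue
        stats[family]["ips"].add(src_ip)
        stats[family]["enterprises"].add(enterprise)
    return stats


def rank_families(stats):
    """Step 2047: most affected enterprises first, then most bot hosts, then most attacks."""
    return sorted(stats, key=lambda f: (len(stats[f]["enterprises"]),
                                        len(stats[f]["ips"]), stats[f]["attacks"]), reverse=True)


if __name__ == "__main__":
    result = summarize(ALARM_LOG, DNS_LOG, IP_REGISTRY, ENTERPRISE_INDUSTRY)
    for fam in rank_families(result):
        s = result[fam]
        print(f"{fam}: enterprises={len(s['enterprises'])} ips={len(s['ips'])} attacks={s['attacks']}")
```

On the constructed data FamilyA ranks first with two industrial enterprises and three bot hosts, one of which (10.3.3.3) is known only from the DNS log, which is the point made in the text about relating more controlled hosts without traffic probes at every enterprise egress. FamilyB's host at Gamma Logistics is dropped by the industry screen, so the attack count for FamilyB is 2, not 3. Attack counts come from alarm rows only; DNS access volume is left out of the count on purpose, since a resolver query is evidence of a controlled host but not of a detected attack.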
With this botnet activity analysis method, multiple data sources are associated and the activity of each botnet family in industrial internet enterprises can be monitored in real time. Traffic monitoring equipment need not be deployed at the egress of every industrial enterprise: instead, more controlled bot hosts can be associated and traced through the known bot families, botnet domain names and DNS log information, which is more effective and less costly. The domain names accessed by the controlled bot hosts are analyzed in reverse from the DNS log information, further botnet domain names are found through a domain name similarity correlation algorithm, and the botnet feature library is updated automatically. In this way the most active botnet family in industrial enterprises can be known in real time, and early warnings, handling measures or other recommendations issued.
Figure 4 illustrates a schematic diagram of an exemplary botnet liveness analysis system, in accordance with an embodiment of the present disclosure. The system 400, applied to the industrial internet, includes:
a botnet family extraction unit 401, configured to extract botnet alarm logs from the security alarm logs according to a preset query condition, extract the botnet families from the botnet alarm logs, and deduplicate them;
an alarm log analysis unit 402, configured to classify and analyze the security alarm logs for each botnet family to obtain the corresponding botnet domain names, and extract the attack alarm log set corresponding to each botnet family according to its botnet domain names;
a DNS association analysis unit 403, configured to analyze the DNS logs associated with the botnet domain names, obtain the DNS log information for access to the botnet command-and-control (C&C) server domain names, trace out the other domain names accessed together with them, extract the botnet family to which the portion of those other domain names judged to be C&C domain names belongs, and add that portion to the botnet domain name feature library;
a traceability analysis unit 404, configured to gather the botnet alarm logs and the DNS logs associated with the botnet domain names, perform traceability analysis on the gathered logs, locate the enterprises corresponding to the bot hosts, analyze the national economic classification of each enterprise to obtain its industry attribute, screen out the industrial enterprises affected by the botnet domain names according to that industry attribute, analyze the number of industrial enterprises controlled by each botnet, the number of IP addresses corresponding to those industrial enterprises and the number of attacks, and thereby analyze the activity of each botnet family.
Fig. 5 shows a schematic structural diagram of an electronic device for implementing an embodiment of the present disclosure. As shown in fig. 5, the electronic apparatus 500 includes a Central Processing Unit (CPU) 501 that can perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM) 502 or a program loaded from a storage section 508 into a Random Access Memory (RAM) 503. In the RAM 503, various programs and data necessary for the operation of the electronic apparatus 500 are also stored. The CPU 501, ROM 502, and RAM 503 are connected to each other via a bus 504. An input/output (I/O) interface 505 is also connected to bus 504.
The following components are connected to the I/O interface 505: an input portion 506 including a keyboard, a mouse, and the like; an output portion 507 including a display such as a Cathode Ray Tube (CRT) or Liquid Crystal Display (LCD), and a speaker; a storage portion 508 including a hard disk and the like; and a communication section 509 including a network interface card such as a LAN card, a modem, or the like. The communication section 509 performs communication processing via a network such as the Internet. A drive 510 is also connected to the I/O interface 505 as necessary. A removable medium 511 such as a magnetic disk, an optical disk, a magneto-optical disk, or a semiconductor memory is mounted on the drive 510 as necessary, so that a computer program read from it can be installed into the storage portion 508 as needed.
In particular, according to an embodiment of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer-readable medium bearing instructions that, in such embodiments, may be downloaded and installed from a network via the communication section 509, and/or installed from the removable media 511. The various method steps described in this disclosure are performed when the instructions are executed by a Central Processing Unit (CPU) 501.
Although example embodiments have been described, it will be apparent to those skilled in the art that various changes and modifications may be made without departing from the spirit and scope of the disclosed concept. Accordingly, it should be understood that the above-described exemplary embodiments are not limiting, but illustrative.

Claims (10)

1. A botnet activity analysis method, applied to the industrial internet, comprising the following steps:
extracting botnet alarm logs from the security alarm logs according to preset query conditions, extracting the botnet families from the botnet alarm logs, and de-duplicating them;
classifying and analyzing the security alarm logs for each botnet family to obtain the corresponding botnet domain names, and extracting the attack alarm log set corresponding to each botnet family according to its botnet domain names;
analyzing the DNS logs associated with the botnet domain names to obtain the DNS log records of the command-and-control (C&C) server domain names that the bots access, tracing the other domain names those bots commonly access, determining which of those other domain names are also C&C domain names and the botnet family each belongs to, and adding them to a botnet domain name feature library;
gathering the botnet alarm logs and the DNS logs associated with the botnet domain names, tracing the gathered logs back to the enterprises to which the botnet hosts belong, looking up the national economic classification of each enterprise to obtain its industry attribute, screening out the industrial enterprises affected by the botnet domain names according to that attribute, counting the number of industrial enterprises controlled by each botnet, the number of IP addresses belonging to those enterprises and the number of attacks, selecting the botnet families whose activity index falls within a threshold range, and analyzing the activity of those botnet families.
2. The method of claim 1, wherein the botnet alarm log comprises at least: attack time, threat category, severity level, attacking-end IP, destination-end IP, source port, destination port, source IP service, destination IP service, transport layer protocol, application layer protocol, attack payload, domain name, and the family to which the domain name belongs.
3. The method of claim 1, wherein the DNS log information comprises at least: domain name, destination IP, source IP, and access volume.
4. The method of claim 1, wherein the other domain names are determined to be C&C domain names by a domain name similarity algorithm.
5. A botnet activity analysis system, applied to the industrial internet, comprising:
a botnet family extraction unit, configured to extract botnet alarm logs from the security alarm logs according to preset query conditions, extract the botnet families from the botnet alarm logs, and de-duplicate them;
an alarm log analysis unit, configured to classify and analyze the security alarm logs for each botnet family to obtain the corresponding botnet domain names, and to extract the attack alarm log set corresponding to each botnet family according to its botnet domain names;
a DNS association analysis unit, configured to analyze the DNS logs associated with the botnet domain names, obtain the DNS log records of the command-and-control (C&C) server domain names that the bots access, trace the other domain names those bots commonly access, determine which of those other domain names are also C&C domain names and the botnet family each belongs to, and add them to a botnet domain name feature library;
a traceability analysis unit, configured to gather the botnet alarm logs and the DNS logs associated with the botnet domain names, trace the gathered logs back to the enterprises to which the botnet hosts belong, look up the national economic classification of each enterprise to obtain its industry attribute, screen out the industrial enterprises affected by the botnet domain names according to that attribute, count the number of industrial enterprises controlled by each botnet, the number of IP addresses belonging to those enterprises and the number of attacks, select the botnet families whose activity index falls within a threshold range, and analyze the activity of those botnet families.
6. The system of claim 5, wherein the botnet alarm log comprises: attack time, threat category, severity level, attacking-end IP, destination-end IP, source port, destination port, source IP service, destination IP service, transport layer protocol, application layer protocol, attack payload, domain name, and the family to which the domain name belongs.
7. The system of claim 5, wherein the DNS log information comprises: domain name, destination IP, source IP, and access volume.
8. The system of claim 5, wherein the other domain names are determined to be C&C domain names by a domain name similarity algorithm.
9. An electronic device, comprising:
one or more processors;
a memory for storing one or more programs;
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of any of claims 1-4.
10. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform the method of any one of claims 1 to 4.
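The pipeline described by units 402 to 404 above and by claims 1 and 5 (select botnet alarms and de-duplicate the families, collect each family's domain names, grow the domain feature library through DNS association with a domain similarity test, trace bot hosts to industrial enterprises and score each family's activity), as an added worked example in Python. This is not the patent's code. The alarm and DNS log lines, the IP-to-enterprise table, the reading of GB/T 4754 sections B, C and D as "industrial", the difflib-based similarity measure standing in for the unspecified "domain name similarity algorithm", and the weighted activity index are all constructed assumptions, since the patent names none of them.

```python
"""Miniature of the botnet activity pipeline in the unit descriptions and claim 1.
Added example, not the patent's code: the logs, the enterprise table, the similarity
measure, the industrial-section rule and the index weights are constructed assumptions."""
from collections import defaultdict
from difflib import SequenceMatcher

ALARM_LOGS = [  # constructed; claim 2 lists more fields, only those used here are kept
    {"threat": "botnet", "src_ip": "10.1.1.10", "domain": "cc-alpha.example", "family": "Alpha"},
    {"threat": "botnet", "src_ip": "10.1.1.11", "domain": "cc-alpha.example", "family": "Alpha"},
    {"threat": "botnet", "src_ip": "10.3.3.30", "domain": "cc-alpha.example", "family": "Alpha"},
    {"threat": "botnet", "src_ip": "10.2.2.20", "domain": "panel.bravo-bot.example", "family": "Bravo"},
    {"threat": "botnet", "src_ip": "10.2.2.20", "domain": "panel.bravo-bot.example", "family": "Bravo"},
    {"threat": "webshell", "src_ip": "10.4.4.40", "domain": "", "family": ""},
]
DNS_LOGS = [  # constructed; claim 3 fields: (domain, dst_ip, src_ip, access volume)
    ("cc-alpha.example", "198.51.100.5", "10.1.1.10", 40),
    ("cc-alpha2.example", "198.51.100.6", "10.1.1.10", 12),
    ("update.example", "192.0.2.7", "10.1.1.10", 3),
    ("cc-alpha.example", "198.51.100.5", "10.1.1.11", 15),
    ("cc-alpha2.example", "198.51.100.6", "10.1.1.11", 9),
    ("cdn.example", "192.0.2.8", "10.1.1.11", 100),
    ("cc-alpha2.example", "198.51.100.6", "10.4.4.40", 7),
    ("panel.bravo-bot.example", "198.51.100.9", "10.2.2.20", 20),
    ("cdn.example", "192.0.2.8", "10.2.2.20", 50),
]
# Constructed IP -> (enterprise, GB/T 4754 section letter). Assumption: sections B, C
# and D (mining, manufacturing, utilities) are what "industrial enterprise" means here.
ENTERPRISES = {
    "10.1.1.10": ("Zhongyuan Machinery", "C"), "10.1.1.11": ("Zhongyuan Machinery", "C"),
    "10.2.2.20": ("Huanghe Power Supply", "D"), "10.3.3.30": ("Kaifeng Trading", "F"),
    "10.4.4.40": ("Luoyang Mining", "B"),
}
INDUSTRIAL_SECTIONS = {"B", "C", "D"}

def extract_families(alarm_logs, query=lambda r: r["threat"] == "botnet"):
    """Step 1: pull botnet alarms out by a query condition and de-duplicate the families."""
    botnet = [r for r in alarm_logs if query(r)]
    return botnet, list(dict.fromkeys(r["family"] for r in botnet))

def family_domain_library(botnet_logs, families):
    """Step 2: per family, the botnet domains seen in its alarms (domain -> family)."""
    return {r["domain"]: r["family"] for r in botnet_logs if r["family"] in families}

def domain_similarity(a, b):
    """Assumed 'domain name similarity algorithm' (claim 4): difflib ratio on the name
    minus its last label, so a shared TLD does not inflate the score."""
    return SequenceMatcher(None, a.rsplit(".", 1)[0], b.rsplit(".", 1)[0]).ratio()

def expand_library(dns_logs, library, min_hosts=2, threshold=0.8):
    """Step 3: hosts that resolved a known C&C domain are bots; other domains that at
    least min_hosts of them also resolved, and that resemble a known C&C domain,
    are added to the feature library under that family."""
    bots = {src for dom, _, src, _ in dns_logs if dom in library}
    seen_by = defaultdict(set)
    for dom, _, src, _ in dns_logs:
        if src in bots and dom not in library:
            seen_by[dom].add(src)
    expanded = dict(library)
    for dom, hosts in seen_by.items():
        if len(hosts) < min_hosts:
            continue
        best = max(library, key=lambda known: domain_similarity(dom, known))
        if domain_similarity(dom, best) >= threshold:
            expanded[dom] = library[best]
    return expanded

def trace_to_industry(botnet_logs, dns_logs, library):
    """Step 4: map each bot host to its enterprise, keep industrial ones, and count
    enterprises, IPs and attacks (alarm records) per family."""
    hits = [(r["domain"], r["src_ip"], 1) for r in botnet_logs]
    hits += [(dom, src, 0) for dom, _, src, _ in dns_logs]
    stats = defaultdict(lambda: {"enterprises": set(), "ips": set(), "attacks": 0})
    for dom, ip, is_attack in hits:
        ent = ENTERPRISES.get(ip)
        if dom not in library or ent is None or ent[1] not in INDUSTRIAL_SECTIONS:
            continue
        s = stats[library[dom]]
        s["enterprises"].add(ent[0]); s["ips"].add(ip); s["attacks"] += is_attack
    return {fam: {"enterprises": len(s["enterprises"]), "ips": len(s["ips"]),
                  "attacks": s["attacks"]} for fam, s in stats.items()}

def activity_index(s, weights=(3, 2, 1)):
    """Assumed index; the patent only says the index is compared with a threshold range."""
    return weights[0] * s["enterprises"] + weights[1] * s["ips"] + weights[2] * s["attacks"]

def active_families(alarm_logs=ALARM_LOGS, dns_logs=DNS_LOGS, index_range=(10, 1000)):
    """Whole pipeline: (families whose index is within range, expanded domain library)."""
    botnet, families = extract_families(alarm_logs)
    library = expand_library(dns_logs, family_domain_library(botnet, families))
    stats = trace_to_industry(botnet, dns_logs, library)
    lo, hi = index_range
    selected = {fam: dict(s, index=activity_index(s)) for fam, s in stats.items()
                if lo <= activity_index(s) <= hi}
    return selected, library
```

Calling `active_families()` on the constructed data adds `cc-alpha2.example` to the library as an Alpha C&C domain (two known bots resolve it and it closely resembles `cc-alpha.example`), rejects `cdn.example` (commonly accessed but dissimilar) and `update.example` (only one bot), pulls in Luoyang Mining as a third Alpha host purely from DNS logs, drops the non-industrial Kaifeng Trading host, and with the assumed weights reports Alpha (2 enterprises, 3 IPs, 2 attacks, index 14) inside the threshold range while Bravo (index 7) falls below it. The `min_hosts` guard matters in practice: without it every CDN or update domain a single bot happens to touch becomes a candidate, and the similarity test alone will not reliably reject look-alike commodity names.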
CN202011531361.0A 2020-12-22 2020-12-22 Botnet activity degree analysis method and system Active CN112839029B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011531361.0A CN112839029B (en) 2020-12-22 2020-12-22 Botnet activity degree analysis method and system

Publications (2)

Publication Number Publication Date
CN112839029A CN112839029A (en) 2021-05-25
CN112839029B true CN112839029B (en) 2023-02-17

Family

ID=75923872

Country Status (1)

Country Link
CN (1) CN112839029B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115102785B (en) * 2022-07-25 2022-11-18 远江盛邦(北京)网络安全科技股份有限公司 Automatic tracing system and method for network attack

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101924757A (en) * 2010-07-30 2010-12-22 中国电信股份有限公司 Method and system for reviewing Botnet
CN106657001A (en) * 2016-11-10 2017-05-10 广州赛讯信息技术有限公司 Botnet detection method based on Netflow and DNS blog
CN109391602A (en) * 2017-08-11 2019-02-26 北京金睛云华科技有限公司 A kind of zombie host detection method
CN110430199A (en) * 2019-08-08 2019-11-08 杭州安恒信息技术股份有限公司 Identify the method and system of Internet of Things Botnet attack source

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8555388B1 (en) * 2011-05-24 2013-10-08 Palo Alto Networks, Inc. Heuristic botnet detection
US9088606B2 (en) * 2012-07-05 2015-07-21 Tenable Network Security, Inc. System and method for strategic anti-malware monitoring
CN107046543A (en) * 2017-04-26 2017-08-15 国家电网公司 A kind of threat intelligence analysis system traced to the source towards attack
US11374897B2 (en) * 2018-01-15 2022-06-28 Shenzhen Leagsoft Technology Co., Ltd. CandC domain name analysis-based botnet detection method, device, apparatus and medium
CN110417709B (en) * 2018-04-27 2022-01-21 南宁富桂精密工业有限公司 Early warning method for Lesso software attack, server and computer readable storage medium

Also Published As

Publication number Publication date
CN112839029A (en) 2021-05-25

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant